[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Tue Mar 5 15:29:12 UTC 2013

> From: Matthijs Mekking <matthijs at nlnetlabs.nl>

> > The paper says that RRL does well against "varying query attacks"
> > for non-existent names or NXDOMAIN responses.  The problem with
> > "varying query attacks" for valid names is that as far as the DNS
> > server can determine, a "varying query attack" for valid names is
> > the same as the request stream from a perfectly legitimate recursive
> > resolver used by many stub resolvers.  Blocking or dampening
> > legitimate responses to the recursive resolvers of large ISPs would
> > be unacceptable except for hobby DNS servers.
> Yes, the attack looks like legitimate traffic, which is the reason why
> it is hard to detect. You probably can only differentiate between legit
> traffic and an attack because of the increased traffic load.

Increased traffic can come from many legitimate causes.  For example,
if a large ISP restarts some of its recursive resolvers, those resolvers
temporarily increase their load because their caches will be empty.
There will also be increased load when an Internet outage is fixed.

Second, we are not mitigating attacks on authoritative servers.  Attacks
on authoritative servers matter, but are irrelevant here.  The many
past DNS DoS reflection attacks that have overloaded the reflecting
servers have been errors by attackers.

To say what I tried to say before but was unclear, the problem is not
to detect and mitigate attacks.  It is always easy to solve such
problems if you ignore false positives and collateral damage.  Instead,
the problem is to mitigate attacks without harming legitimate traffic.
We must try to follow the doctor's oath to "First do no harm."

> > I don't have words for the notion of blocking or dampening DNSSEC
> > responses in the name of security.
> Nobody is saying that.

On the contrary, many people have said that, although they did not
understand that they were saying it.  There have been many suggestions
to block or dampen based on response size.  Blocking or dampening based
on response size implies blocking or dampening of DNSSEC, because
DNSSEC responses are 5 to 30 times larger.

> I think both "varying query attacks" and distributed attacks are serious
> problems. In both cases the goal of the attacker is to maintain
> remain undetected by the name server.

No, the main goal of the attacker is to attack the victim.  Remaining
undetected at the reflecting DNS server is at most a secondary goal.
Solving the wrong problem is a serious and common error.  Turning off
ANY requests is a nearby example.

Vernon Schryver    vjs at rhyolite.com
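The following is an added example and not code from Knot DNS, BIND, or the RRL paper discussed above. It is a toy model of the point made at the top of the message: RRL keys NXDOMAIN (and other error) responses by the enclosing zone, so an attacker who varies the nonexistent name still lands in one bucket, while positive answers are keyed by the exact name, so a flood of queries for many distinct existing names is spread across many buckets and looks exactly like a busy recursive resolver. The zone, the limits, the /24 client prefix and the query streams are constructed assumptions for illustration.

```python
import ipaddress

# Added example (not Knot, BIND or RRL project code).  Zone name, limits and
# the /24 client prefix are illustrative assumptions.


def netblock(client_ip: str, prefix: int = 24) -> str:
    """RRL limits clients per netblock, not per address (prefix is assumed)."""
    return str(ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False))


def rrl_key(client_ip: str, qname: str, rcode: str, zone: str) -> tuple:
    """Bucket key for a response.

    Positive answers are keyed by the exact name, so distinct names fall in
    distinct buckets.  NXDOMAIN and other error responses are keyed by the
    enclosing zone, so every nonexistent name under the zone shares one
    bucket and the attacker cannot spread the load by varying the name.
    """
    block = netblock(client_ip)
    if rcode == "NOERROR":
        return (block, "answer", qname.lower())
    if rcode == "NXDOMAIN":
        return (block, "nxdomain", zone.lower())
    return (block, "error", zone.lower())


class Limiter:
    """Per-key credit bucket allowing `limit` responses per key per second."""

    def __init__(self, limits: dict):
        self.limits = limits   # e.g. {"answer": 5, "nxdomain": 5, "error": 5}
        self.state = {}        # key -> (credits, last_second)

    def allow(self, key: tuple, now: float) -> bool:
        limit = self.limits[key[1]]
        credits, last = self.state.get(key, (limit, int(now)))
        sec = int(now)
        if sec > last:         # refill once per elapsed second, capped at limit
            credits = min(limit, credits + limit * (sec - last))
            last = sec
        ok = credits >= 1
        if ok:
            credits -= 1
        self.state[key] = (credits, last)
        return ok


def simulate(limiter: Limiter, queries, zone: str = "example.com"):
    """queries: iterable of (time, client_ip, qname, rcode); returns (allowed, dropped)."""
    allowed = dropped = 0
    for t, ip, qname, rcode in queries:
        if limiter.allow(rrl_key(ip, qname, rcode, zone), t):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


def nxdomain_flood(n: int, victim: str = "192.0.2.7"):
    """Constructed: n spoofed queries within one second for n distinct nonexistent names."""
    return [(i / n, victim, f"x{i}.example.com", "NXDOMAIN") for i in range(n)]


def varying_valid_flood(n: int, victim: str = "192.0.2.7"):
    """Constructed: n spoofed queries within one second for n distinct existing names.

    Byte for byte this is also what a cache-cold recursive resolver sends.
    """
    return [(i / n, victim, f"host{i}.example.com", "NOERROR") for i in range(n)]


def default_limiter() -> Limiter:
    return Limiter({"answer": 5, "nxdomain": 5, "error": 5})


if __name__ == "__main__":
    print("varying-NXDOMAIN flood (allowed, dropped):",
          simulate(default_limiter(), nxdomain_flood(1000)))
    print("varying-valid-name flood (allowed, dropped):",
          simulate(default_limiter(), varying_valid_flood(1000)))
```

With the assumed limits the NXDOMAIN flood is cut to five responses in its first second because all thousand names share the (netblock, nxdomain, zone) bucket, while the valid-name flood passes untouched because each name gets its own bucket. Lowering the per-name limit would not help: the second stream is indistinguishable from a large ISP's resolver refilling an empty cache, so any setting that drops it drops legitimate traffic too.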
